Having a simple subnet router config with Wireguard client. In order to prevent dns leaks, the WAN interface has custom DNS IP's of the ISP wireguard server/peer, as also defined in the Wireguard interface.
Noticed that after a reboot, the WAN connection cannot be established, and the Wireguard interface does not have a connection showing 0 packets.
This issue cannot be resolved by setting the correct system time.
What works - remove the custom dns ip's in the WAN interface, save & apply changes.
And then add the custom dns ip's again.
Anyone can confirm this issue? And have a simpler workaround/solution?
Don't configure DNS on WAN.
If you want to use some custom DNS on your router - configure it in DNS forwardings in DNS server (DNSmasq) configuration.
If you see a need using some specific DNS for some domain(s) like your WG server - configure it in DNS forwardings as well.
For troubleshooting purposes you can enable Log queries in DNSmasq configuration.
The DNS has to be reachable through the tunnel. An ISPs DNS is generally only accessible from inside their network, so it will be unreachable once you are tunneled to a public IP outside the ISP's network.
If you configured the wireguard peer as a name rather than a numeric IP, there will also need to be working DNS before the tunnel can start up.
Distinguish between a DNS problem and a general routing problem by trying to ping sites by their numeric IP, such as 18.104.22.168. Numeric IPs should always work even if DNS is broken.
thanks for sharing. have a similar setup like yours.
i cannot prevent dns leaks with openwrt by setting custom dns at wan level:
1- dns of wireguard peer’s isp will show the servers of belonging to isp in ipleak.net
2- public dns like google or cloudfare will show servers in the wireguard peer’s country
3- not setting dns at wan level will show servers in country of openwrt router.
1 is the best option, can live with 2 without fiddling with the router after a reboot. 3 is not ok.
if i compare this openwrt wg solution to a raspberry pi linux wg solution (eg RaspAP), i see more flexibility in the pi’s solution with regards to leak prevention and resolving the wg peer’s dns name on demand, instead of on startup time of the wg interface.
but i’ll keep my openwrt solution to find out how reliable it is. besides i can run this thing on any old router at hand
I haven't run WG on a big linux distro (although maybe I'll do that sometime soon just so I can say I have), but on Mac, iOS, and Android, the DNS that should be used once the tunnel is up is super easy to specify and works properly.
I don't entirely understand why the implementation within OpenWrt can't do this same thing, but I do believe that there are valid technical reasons for this... I'm hoping that DNS when the WG tunnel is established can be specified more easily and directly in some future version of OpenWrt.